Yesterday, the Syrian Electronic Army (SEA) compromised a US customer identity management platform, Gigya, which is used by many high profile news websites.

In a blog post, Gigya CEO Patrick Salyer explained how the hacker group accomplished its mission via DNS redirects:

At approximately 6:45 AM EST we identified sporadic failures with access to our service. An initial inquiry has revealed that there was a breach at our domain registrar that resulted in the WHOIS record of gigya.com being modified to point to a different DNS server.

That DNS server had been configured to point Gigya's CDN domain (cdn.gigya.com) to a server controlled by the hackers, where they served a file called "socialize.js" with an alert claiming that the site had been hacked by the Syrian Electronic Army.

This meant that some, but not all, visitors to sites including CBC, CNBC, Forbes, OK magazine, The Chicago Tribune, The Daily Telegraph, The Independent and The New York Times were met with a message saying “You’ve been hacked by the Syrian Electronic Army (SEA).”

Other visitors were directed to an image of the group’s crest set against a black background.

The defacement seems to have been pretty short lived – a Naked Security reader reported a site that had shown him SEA material, and although we checked into it almost immediately, we found only the content we expected.

The SEA confirmed the attack via a tweet, which displays what appears to be a screenshot of the control panel for the Gigya.com domain at GoDaddy:

Salyer confirmed no user, administrator or operational data was compromised at Gigya and said the company has now put further security measures into place to ensure it is protected from another such attack in the future.

He also confirmed that DNS records had been restored but did note that the change may take some time to propagate across the whole of the internet.

One comment on “Syrian Electronic Army returns with Thanksgiving press hack”

The Gigya CEO wrote: “At approximately 6:45 AM EST we identified sporadic failures with access to our service. An initial inquiry has revealed that there was a breach at our domain registrar that resulted in the WHOIS record of gigya.com being modified to point to a different DNS server.”

Umm, hacking the WHOIS record would not affect what web-page/frame/image was displayed. You would have to hack–err, modify–the A records to do that.

When the CEO reads a prepared statement with a gaffe like that, it reflects badly on the company’s credibility.